E-Commerce Security and Fraud Protection

E-Commerce Security and Fraud Protection
Learning Objectives
1. Understand the importance and scope of security of
information systems for EC.
2. Describe the major concepts and terminology of EC
security.
3. Learn about the major EC security threats, vulnerabilities,
and technical attacks.
4. Understand Internet fraud, phishing, and spam.
5. Describe the information assurance security principles.
6. Identify and assess major technologies and methods for
securing EC access and communications.
Copyright © 2012 Pearson Education 9-2

Learning Objectives
7. Describe the major technologies for protection of EC
networks.
8. Describe various types of controls and special defense
mechanisms.
9. Describe consumer and seller protection from fraud.
10. Describe the role of business continuity and disaster
recovery planning.
11. Discuss EC security’s enterprisewide implementation
issues.
12. Understand why it is not possible to stop computer crimes.

The Information Security Problem
Information security refers to a variety of
activities and methods that protect information
systems, data, and procedures from any action
designed to destroy, modify, or degrade the systems
and their operations.

What is EC Security?
Computer security in general refers to the
protection of data, networks, computer programs,
computer power, and other elements of computerized
information systems.
We classify computer security into two categories:
generic topics relating to any information system (e.g.,
encryption)
EC-related issues such as buyers’ protection. Attacks
on EC websites, identify theft of both individuals and
organizations

What is EC Security?
In addition to the organizational security
there are also:
 Personal Security: on the web and mostly amid at
individuals
 National Security: attacking critical infrastructures (e.g.
power, nuclear, and water facilities)

Security Risks for 2014 and 2015
 Cyberwars and Cyberespionage Across Borders:
such attack usually is done through viruses, DoS, or
botnets
Cyberwarefare: Online acts of espionage and security
breaches which are done to obtain national material and
information of a sensitive or classiﬁed nature through
the exploitation of the Internet
Sabotage: the use of the Internet to disrupt online
communications with the intent to cause damage
Attacks on SCADA (Supervisory Control and Data
Acquisition) network and NCIs (National
Computational Infrastructure)
Cyberespionage refers to unauthorized spying using a
computer system. Espionage involves obtaining secrets
without the permission of the holder of the information
Security Risks for 2014 and 2015
 Attacking Information Systems
Corporate espionage
Political espionage and warfare
Example: A suspected cyberespionage network

known as GhostNet, compromised computer
systems in 103 countries. The attacks allegedly
came from China

THE DRIVERS OF EC SECURITY PROBLEMS
The Internet’s Vulnerable Design
 The Internet and its network protocols were never intended to
protect against cybercriminals. They were designed to
accommodate computer-based communications in a trusted
community. The Internet is still insecure!
The Shift to Profit-Induced Crimes
 A major driver of data theft and other crimes is the ability to
proﬁt from the theft. Today, stolen data are sold on the black
market
The Increased Volume of Wireless Activities and
the Number of Mobile Devices
 More difficult to protect
 Features such as NFC, Bluetooth, BOYD, etc. can be exploited
by hackers
 Internet underground economy
E-markets for stolen information made up of thousands of
websites that sell credit card numbers, social security
numbers, other data such as numbers of bank accounts,
social network IDs, passwords, and much more.
 Darknet: separate Internet that can be accessed by members only
and it uses different protocols and is not accessible by search
engines
 The Internet Silk Road
 Keystroke logging (keylogging) using a device or software
program that tracks and records the activity of a user in real time
by the keyboard keys they press
 The Dynamic Nature of EC Systems and the Role of
Insiders
 The Sophistication of the Attacks

Basic E-commerce
Security Issues and Landscape
BASIC SECURITY TERMINOLOGY
business continuity plan
A plan that keeps the business running after a disaster
occurs; each function in the business should have a valid
recovery capability plan
cybercrime
Intentional crimes carried out on the Internet
cybercriminal
A person who intentionally carries out crimes over the
Internet

Basic E-commerce
exposure
The estimated cost, loss, or damage that can result if a
threat exploits a vulnerability
fraud
Any business activity that uses deceitful practices or
devices to deprive another of property or other rights
malware (malicious software)
A generic term for malicious software
phishing
A fraudulent process of attempting to acquire sensitive
information by masquerading as a trustworthy entity
Basic E-Commerce
risk
The probability that a vulnerability will be known and
used
social engineering
A type of nontechnical attack that uses some ruse to
trick users into revealing information or performing an
action that compromises a computer or network
spam
The electronic equivalent of junk mail

Basic E-commerce
vulnerability
Weakness in software or other mechanism that
threatens the confidentiality, integrity, or availability of
an asset. It can be directly used by a hacker to gain
access to a system or network
zombies
Computers infected with malware that are under the
control of a spammer, hacker, or other criminal

Basic E-Commerce
THE THREATS, ATTACKS, AND ATTACKERS
Unintentional Threats: human error,
environmental hazards, and malfunctions.
Intentional Attacks and Crimes
The Criminals and Methods
 hacker
Someone who gains unauthorized access to a computer
system
 cracker
A malicious hacker, such as Maxwell, in the opening case, who

may represent a serious problem for a corporation
Basic E-Commerce
THE TARGETS OF THE ATTACKS IN VULNERABLE
AREAS
Vulnerable Areas Are Being Attacked: people,
machines and information systems.
The Vulnerabilities in Business IT and EC Systems:
Technical weaknesses (e.g. unencrypted
communication and organizational weaknesses
(poor training) read page 497.
SECURITY SCENARIOS AND REQUIREMENTS IN E-
COMMERCE
 The Content of Information Security: it’s not only about
preventing and responding to cyber attacks.
Basic E-Commerce
EC Security Requirements
 authentication
Process to verify (assure) the real identity of an individual, computer,
computer program, or EC website
 authorization
Process of determining what the authenticated entity is allowed to

access and what operations it is allowed to perform
 Auditing: storing pieces of information into a (log) file.
 Availability: technology such as load balancing software and
hardware ensure availability.

 nonrepudiation
Assurance that online customers or trading partners cannot falsely

deny (repudiate) their purchase or transaction

Basic E-Commerce
THE DEFENSE: DEFENDERS, STRATEGY, AND
METHODS
 EC security strategy
A strategy that views EC security as the process of preventing
and detecting unauthorized use of the organization’s brand,
identity, website, e-mail, information, or other asset and
attempts to defraud the organization, its customers, and
employees
 deterring measures
Actions that will make criminals abandon their idea of
attacking a specific system (e.g., the possibility of losing a job
for insiders)
Basic E-Commerce
 prevention measures
Ways to help stop unauthorized users (also known as
“intruders”) from accessing any part of the EC system
 detection measures
Ways to determine whether intruders attempted to break into
the EC system; whether they were successful; and what they
may have done
 information assurance (IA) (the ultimate goal of EC secuirity)
The protection of information systems against unauthorized
access to or modification of information whether in storage,
processing, or transit, and against the denial of service to
authorized users, including those measures necessary to
detect, document, and counter such threats
Technical Attack Methods:
From Viruses to Denial of Service
MALICIOUS CODE: VIRUSES, WORMS, AND
TROJAN HORSES
virus
A piece of software code that inserts itself into a host,
including the operating systems, in order to propagate; it
requires that its host program be run to activate it
worm
A software program that runs independently, consuming
the resources of its host in order to maintain itself, that is
capable of propagating a complete working version of
itself onto another machine
 macro virus (macro worm)
A macro virus or macro worm is executed when the
application object that contains the macro is opened or a
particular procedure is executed
 Trojan horse
A program that appears to have a useful function but that

contains a hidden function that presents a security risk
 banking Trojan
A Trojan that comes to life when computer owners visit one of

a number of online banking or e-commerce sites

denial-of-service (DoS) attack
An attack on a website in which an attacker uses
specialized software to send a flood of data packets to
the target computer with the aim of overloading its
resources
page hijacking
Creating a rogue copy of a popular website that shows
contents similar to the original to a Web crawler; once
there, an unsuspecting user is redirected to malicious
websites

botnet
A huge number (e.g., hundreds of thousands) of
hijacked Internet computers that have been set up to
forward traffic, including spam and viruses, to other
computers on the Internet
Malvertising

Nontechnical Methods:
From Phishing To Spam
SOCIAL PHISHING
Sophisticated Phishing Methods
FRAUD ON THE INTERNET
Examples of Typical Online Fraud Attacks
Identity Theft and Identify Fraud
 identity theft
Fraud that involves stealing an identity of a person and then
the use of that identity by someone pretending to be someone
else in order to steal money or get other benefits

CYBER BANK ROBBERIES
Other Financial Fraud
SPAM AND SPYWARE ATTACKS
e-mail spam
A subset of spam that involves nearly identical messages
sent to numerous recipients by e-mail
Typical Examples of Spamming
spyware
Software that gathers user information over an Internet
connection without the user’s knowledge

SOCIAL NETWORKING MAKES SOCIAL
ENGINEERING EASY
How Hackers Are Attacking Social Networks
Spam in Social Networks and in the Web 2.0
Environment

search engine spam
Pages created deliberately to trick the search engine into
offering inappropriate, redundant, or poor-quality search
results
spam site
Page that uses techniques that deliberately subvert a
search engine’s algorithms to artificially inflate the page’s
rankings
splog
Short for spam blog, a site created solely for marketing
purposes
data breach
A security incident in which sensitive, protected, or
confidential data is copied, transmitted, viewed, stolen,
or used by an individual unauthorized to do so

The Information Assurance Model
and Defense Strategy
CIA security triad (CIA triad)
Three security concepts important to information on
the Internet: confidentiality, integrity, and availability
confidentiality
Assurance of data privacy and accuracy; keeping private
or sensitive information from being disclosed to
unauthorized individuals, entities, or processes

integrity
Assurance that stored data has not been modified
without authorization; a message that was sent is the
same message as that which was received
availability
Assurance that access to data, the website, or other EC
data service is timely, available, reliable, and restricted
to authorized users

AUTHENTICATION, AUTHORIZATION, AND
NONREPUDIATION
E-COMMERCE SECURITY STRATEGY
The Objective of Security Defense
Security Spending Versus Needs Gap
Assessing Security Needs
 vulnerability assessment
The process of identifying, quantifying, and prioritizing the
vulnerabilities in a system

penetration test (pen test)
A method of evaluating the security of a computer
system or a network by simulating an attack from a
malicious source, (e.g., a cracker)
EC security programs
All the policies, procedures, documents, standards,
hardware, software, training, and personnel that work
together to protect information, the ability to conduct
business, and other assets

computer security incident management
The monitoring and detection of security events on a
computer or computer network, and the execution of
proper responses to those events. The primary purpose
of incident management is the development of a well
understood and predictable response to damaging
events and computer intrusions.

THE DEFENSE SIDE OF EC SYSTEMS
1. Defending access to computing systems, data flow, and
EC transactions
2. Defending EC networks
3. General, administrative, and application controls
4. Protection against social engineering and fraud
5. Disaster preparation, business continuity, and risk
management
6. Implementing enterprisewide security programs

The Defense I:
Access Control, Encryption, and PKI
access control
Mechanism that determines who can legitimately use a
network resource
Authorization and Authentication
biometric control
An automated method for verifying the identity of a person
based on physical or behavioral characteristics
biometric systems
Authentication systems that identify a person by
measurement of a biological characteristic, such as
fingerprints, iris (eye) patterns, facial features, or voice

The Defense I:
ENCRYPTION AND THE ONE-KEY (SYMMETRIC)
SYSTEM
 encryption
The process of scrambling (encrypting) a message in such a
way that it is difficult, expensive, or time-consuming for an
unauthorized person to unscramble (decrypt) it
 plaintext
An unencrypted message in human-readable form
 ciphertext
A plaintext message after it has been encrypted into a
machine-readable form

The Defense I:
encryption algorithm
The mathematical formula used to encrypt the plaintext
into the ciphertext, and vice versa
key (key value)
The secret code used to encrypt and decrypt a message
key space
The large number of possible key values (keys) created
by the algorithm to use when transforming the message

The Defense I:
symmetric (private) key encryption
An encryption system that uses the same key to encrypt
and decrypt the message
Data Encryption Standard (DES)
The standard symmetric encryption algorithm
supported by the NIST and used by U.S. government
agencies until October 2000

The Defense I:
public key infrastructure (PKI)
A scheme for securing e-payments using public key
encryption and various technical components
public (asymmetric) key encryption
Method of encryption that uses a pair of matched keys—a
public key to encrypt a message and a private key to decrypt
it, or vice versa
public key
Encryption code that is publicly available to anyone
private key
Encryption code that is known only to its owner

The Defense I:
digital signature or digital certificate
Validates the sender and time stamp of a transaction so
it cannot be later claimed that the transaction was
unauthorized or invalid
hash function
A mathematical computation that is applied to a
message, using a private key, to encrypt the message
message digest (MD)
A summary of a message converted into a string of digits
after the hash has been applied

The Defense I:
digital envelope
The combination of the encrypted original message and
the digital signature, using the recipient’s public key
certificate authorities (CAs)
Third parties that issue digital certificates
Secure Socket Layer (SSL)

The Defense II:
Securing E-Commerce Networks
firewall
A single point between two or more networks where
all traffic must pass (choke point); the device
authenticates, controls, and logs all traffic
packet
Segment of data sent from one computer to another on a
network
The Dual Firewall Architecture: The DMZ

The Defense II:
personal firewall
A network node designed to protect an individual user’s
desktop system from the public network by monitoring
all the traffic that passes through the computer’s
network interface card
Additional Virus, Malware, and Botnet Protection

The Defense II:
virtual private network (VPN)
A network that uses the public Internet to carry
information but remains private by using encryption to
scramble the communications, authentication to ensure
that information has not been tampered with, and access
control to verify the identity of anyone using the network
 protocol tunneling
Method used to ensure confidentiality and integrity of data
transmitted over the Internet by encrypting data packets,
sending them in packets across the Internet, and decrypting
them at the destination address

The Defense II:
intrusion detection system (IDS)
A special category of software that can monitor activity
across a network or on a host computer, watch for
suspicious activity, and take automated action based
on what it sees
Dealing with DoS Attacks
 Cloud Computing Prevents DoS Attacks

The Defense II:
honeynet
A network of honeypots
honeypot
Production system (e.g., firewalls, routers, Web
servers, database servers) that looks like it does real
work, but that acts as a decoy and is watched to study
how network intrusions occur
E-Mail Security

The Defense III: General Controls, Internal Controls,
Compliance, and Other Defense Mechanisms
general controls
Controls established to protect the system regardless
of the specific application; for example, protecting
hardware and controlling access to the data center are
independent of the specific application
application controls
Controls that are intended to protect specific
applications

GENERAL, ADMINISTRATIVE, AND OTHER
CONTROLS
 Physical Controls
 Administrative Controls
APPLICATION CONTROLS AND INTELLIGENT
AGENTS
 intelligent agents
Software applications that have some degree of reactivity,
autonomy, and adaptability—as is needed in unpredictable
attack situations; an agent is able to adapt itself based on
changes occurring in its environment

PROTECTING AGAINST SPAM
Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-SPAM) Act
Law that makes it a crime to send commercial e-mail
messages with false or misleading message headers or
misleading subject lines

PROTECTING AGAINST POP-UP ADS
PROTECTING AGAINST SOCIAL ENGINEERING
ATTACKS
Protecting Against Phishing
Protecting Against Malvertising
PROTECTING AGAINST SPYWARE
Using Policies and Training

Business Continuity, Disaster Recovery,
Security Auditing, and Risk Management
BUSINESS CONTINUITY AND DISASTER
RECOVERY PLANNING
disaster avoidance
An approach oriented toward prevention, the idea is to
minimize the chance of avoidable disasters (such as fire
or other human-caused threats)

Business Continuity, Disaster Recovery,
Security Auditing, and Risk Management
RISK-MANAGEMENT AND COST–BENEFIT
ANALYSIS
Risk-Management Analysis
Calculating the Cost of a Fraud-Prevention System
Ethical Issues

Implementing
Enterprisewide E-Commerce Security
THE DRIVERS OF EC SECURITY MANAGEMENT
SENIOR MANAGEMENT COMMITMENT AND
SUPPORT
Unified Front

Implementing
EC SECURITY POLICIES AND TRAINING
 acceptable use policy (AUP)
Policy that informs users of their responsibilities when using
company networks, wireless devices, customer data, and so
forth
EC SECURITY PROCEDURES AND ENFORCEMENT
 business impact analysis (BIA)
An exercise that determines the impact of losing the support of
an EC resource to an organization and establishes the escalation
of that loss over time, identifies the minimum resources needed
to recover, and prioritizes the recovery of processes and
supporting systems

Implementing
WHY IS IT DIFFICULT TO STOP INTERNET
CRIME?
Making Shopping Inconvenient
Lack of Cooperation from Credit Card Issuers and
ISPs
Shoppers’ Negligence
Ignoring EC Security Best Practices
 Computing Technology Industry Association (CompTIA)
Nonprofit trade group providing information security
research and best practices

Implementing
Design and Architecture Issues
Lack of Due Care in Business Practices
 standard of due care
Care that a company is reasonably expected to take based on
the risks affecting its EC business and online transactions

Managerial Issues
1. What is the best EC security strategy for my company?
2. Is the budget for EC security adequate?
3. What steps should businesses follow in establishing a
security plan?
4. Should organizations be concerned with internal security
threats?
5. What is the key to establishing strong e-commerce
security?

Summary
1. The key to establishing strong e-commerce security
2. Basic EC security issues and terminology
3. Threats, vulnerabilities, and technical attacks
4. Internet fraud, phishing, and spam
5. Information assurance
6. Securing EC access control and communications

Summary
7. Technologies for protecting networks.
8. The different controls and special defense
mechanisms.
9. Protecting from fraud.
10. Role of business continuity and disaster recovery
planning.
11. Enterprisewide EC security.
12. Why is it impossible to stop computer crimes?

All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written
permission of the publisher. Printed in the United States of America.
Copyright © 2012 Pearson Education

E-Commerce Security and Fraud Protection

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

E-Commerce Security and Fraud Protection

Uploaded by

Copyright:

Available Formats

E-Commerce Security and Fraud Protection

Copyright © 2012 Pearson Education 9-2

Copyright © 2012 Pearson Education 9-3

Copyright © 2012 Pearson Education 9-4

Copyright © 2012 Pearson Education 9-5

power, nuclear, and water facilities)

Copyright © 2012 Pearson Education 9-6

Example: A suspected cyberespionage network

Copyright © 2012 Pearson Education 9-8

Copyright © 2012 Pearson Education 9-11

Copyright © 2012 Pearson Education 9-12

Copyright © 2012 Pearson Education 9-14

Copyright © 2012 Pearson Education 9-15

A malicious hacker, such as Maxwell, in the opening case, who

Process of determining what the authenticated entity is allowed to

 Availability: technology such as load balancing software and

hardware ensure availability.

Assurance that online customers or trading partners cannot falsely

Copyright © 2012 Pearson Education 9-19

A program that appears to have a useful function but that

A Trojan that comes to life when computer owners visit one of

Copyright © 2012 Pearson Education 9-25

Copyright © 2012 Pearson Education 9-26

Copyright © 2012 Pearson Education 9-27

Copyright © 2012 Pearson Education 9-29

Copyright © 2012 Pearson Education 9-31

Copyright © 2012 Pearson Education 9-32

Copyright © 2012 Pearson Education 9-34

Copyright © 2012 Pearson Education 9-35

Copyright © 2012 Pearson Education 9-36

Copyright © 2012 Pearson Education 9-37

Copyright © 2012 Pearson Education 9-39

Copyright © 2012 Pearson Education 9-40

Copyright © 2012 Pearson Education 9-42

Copyright © 2012 Pearson Education 9-43

Copyright © 2012 Pearson Education 9-44

Copyright © 2012 Pearson Education 9-45

Copyright © 2012 Pearson Education 9-47

Copyright © 2012 Pearson Education 9-48

Copyright © 2012 Pearson Education 9-49

Copyright © 2012 Pearson Education 9-51

Copyright © 2012 Pearson Education 9-52

Copyright © 2012 Pearson Education 9-54

Copyright © 2012 Pearson Education 9-55

Copyright © 2012 Pearson Education 9-56

Copyright © 2012 Pearson Education 9-57

Copyright © 2012 Pearson Education 9-58

Copyright © 2012 Pearson Education 9-60

Copyright © 2012 Pearson Education 9-62

Copyright © 2012 Pearson Education 9-63

Copyright © 2012 Pearson Education 9-64

Copyright © 2012 Pearson Education 9-66

Copyright © 2012 Pearson Education 9-67

Copyright © 2012 Pearson Education 9-68

Copyright © 2012 Pearson Education 9-69

Copyright © 2012 Pearson Education 9-70

Copyright © 2012 Pearson Education 9-71

Copyright © 2012 Pearson Education 9-72

Copyright © 2012 Pearson Education 9-73

Copyright © 2012 Pearson Education

Copyright © 2012 Pearson Education 9-74

You might also like